Need help Spyware, possibly Virus? Have HiJackThis log

Post by tanya » March 22nd, 2005, 9:55 pm

I've tried everything I can think of. Used Spybot and Ad-awareSE, but it's not getting any better. Can't use email anymore, limited internet. I really don't even know what to do with this HiJackThis log, just downloaded it and ran it because that seems like what everyone else is doing. Any chance you could look at this log and help me figure out what to do next? Thank you for any help you can provide...

Logfile of HijackThis v1.98.2
Scan saved at 6:53:42 PM, on 3/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\America Online 6.0b\aoltray.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\NavNT\defwatch.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0b\aoltray.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://superprogdownload.com/download/helps/id/187787/358330926.chm::/win.exe
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 7481252609
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
tanya
Active Member
Posts: 5
Joined: March 22nd, 2005, 9:27 pm
Location: NorthWest

Post by wng_z3r0 » March 22nd, 2005, 10:08 pm

Hi and welcome to the forums. My name is wng_z3r0 and I will be looking over your log. Please allow me some time to research your system.
In the meantime:
Please "Bookmark" or "Add to favorites" your thread so that you can easily find it again. It is easy to lose track of it because of the volume in this forum.
You should also go to the dark blue lines above your first post in the thread and click "Track this topic". A list of options will open. Select "Immediate Email Notification" and click "Proceed".
This should result in you getting an e-mail whenever anybody posts anything in your thread. However, it is still a good idea to check it once in a while.
If you cannot find your post, please do as follows. Be sure that you are logged in. At the top of the page, on the same line that shows that you are logged in, there is "My Assistant". Click it and a new window opens. Under "Show me" there is "My last 10 posts". Click it and one or more posts will open. Go to the bottom of the post you want and click "Post Preview:#XXXXXXXXX", where X is a digit. This will bring you to your thread.

Also do these things:

It appears that you have an out-of-date version of HijackThis installed.
To update to a later version, please follow all of these steps:
1. Click on Start (located in the lower left-hand corner of your screen).
2. Click on My Computer.
3. Double-click on C:.
4. Find the folder called "Program Files" and double-click that folder.
5. In the Program Files folder, click the File menu, then click New -> Folder.
6. Name the folder HJT.
7. Look below at my signature :weee: and click on the link named "hijack this".
8. If it asks you if you want to run, save, or cancel the file, click Save.
9. Browse to this location: c:/program files/HJT and save the file there.
10. When the download is complete, go to c:/program files/hjt and extract the folder.
11. Delete the zipped folder. You will not need it anymore.



Also, please download and run this program
http://download.nai.com/products/mcafee ... tinger.exe


When that is done, run Hijack This and post a new log by replying to this log. Please do not post your response in a different thread.

Good luck,
wng
Last edited by wng_z3r0 on March 23rd, 2005, 9:08 am, edited 1 time in total.
wng_z3r0
Admin/Teacher Emeritus
Posts: 4282
Joined: March 6th, 2005, 8:22 pm

Post by tanya » March 23rd, 2005, 12:40 am

First of all... I just want to say WOW... I can't believe how fast you responded. Thank you for being so prompt.

OK, I downloaded the new version of HJT and the McAfee-avert\stinger; I ran the scan and it came back clean.

Here is the newest log file from HJT...

Logfile of HijackThis v1.99.1
Scan saved at 9:34:03 PM, on 3/22/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\America Online 6.0b\aoltray.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\NavNT\defwatch.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\McAfee_avert Stinger\stinger.exe
C:\Program Files\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0b\aoltray.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://superprogdownload.com/download/helps/id/187787/358330926.chm::/win.exe
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 7481252609
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - C:\Program Files\mcafee.com\VSO\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe

Post by ChrisRLG » March 24th, 2005, 5:13 pm

Hi there, and welcome to the forums!


The following items are malware and must be fixed

  • Please set your system to show all files; please see here if you're unsure how to do this.
  • Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O1 - Hosts: 1159680172 auto.search.msn.com
    O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://superprogdownload.com/download/helps/id/187787/358330926.chm::/win.exe
    O19 - User stylesheet: C:\WINDOWS\stsheets.dat

    Click on Fix Checked when finished and exit HijackThis.
  • Reboot into Safe Mode: please see here if you are not sure how to do this.

    Using Windows Explorer, locate the following files/folders, and delete them:

    C:\WINDOWS\stsheets.dat

    Exit Explorer, and reboot as normal afterwards.

Post back a fresh HijackThis log and we will take another look.
ChrisRLG
Administrator Emeritus
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK
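As an added illustration (not part of the thread, and not a tool the helpers used), the following Python script parses a HijackThis v1.99-style log and flags the same categories of entry ChrisRLG checked above. The rule set and the allow-list of OEM home-page hosts are my assumptions, and the sample log is a constructed excerpt of the one posted in this thread.

```python
"""HijackThis log triage (added example; not a tool from this thread).

Parses the R0/R1/R3/O1/O4/O16/O19 entries of a HijackThis v1.99-style log
and flags the categories the helpers above fixed. Assumptions: the allow-list
of OEM home-page hosts and the rule set are mine; the sample log is a
constructed excerpt of the log posted in this thread.
"""
import re
from urllib.parse import urlparse

# Hosts an HP OEM image legitimately points IE at (assumption for this example).
EXPECTED_HOME_HOSTS = {"us4.hpwis.com", "srch-us4.hpwis.com"}

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.*)$")


def parse_hjt(text):
    """Yield (section, rest) for each 'Rn - ...' / 'On - ...' entry line."""
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("rest")


def triage(text):
    """Return [(section, reason, line)] for entries that deserve a closer look."""
    findings = []
    for sec, rest in parse_hjt(text):
        line = f"{sec} - {rest}"
        if sec in ("R0", "R1"):
            # Format is "Key,Value = URL": look at where IE is being pointed.
            _, _, url = rest.partition(" = ")
            host = urlparse(url.strip()).hostname
            if "ProxyOverride" in rest:
                findings.append((sec, "proxy override set (review)", line))
            elif host and host not in EXPECTED_HOME_HOSTS:
                findings.append((sec, f"start/search page points at {host}", line))
        elif sec == "R3" and "(no file)" in rest:
            findings.append((sec, "URLSearchHook whose file is missing", line))
        elif sec == "O1":
            # Any Hosts entry remapping a search or update domain is worth
            # checking; the thread's entry uses a bare decimal number, not a dotted IP.
            findings.append((sec, "Hosts file redirect", line))
        elif sec == "O16" and re.search(r"ms-its:|\.chm::|\.exe$", rest, re.I):
            findings.append((sec, "DPF pulls an executable via ms-its/CHM", line))
        elif sec == "O19":
            findings.append((sec, "IE user stylesheet set (CWS hijack marker)", line))
    return findings


# Constructed sample in the shape of the thread's log (benign lines included
# so the rules can be seen leaving them alone).
SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://us4.hpwis.com/
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - Global Startup: hp center.lnk = C:\\Program Files\\hp center\\137903\\Program\\BackWeb-137903.exe
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://superprogdownload.com/download/helps/id/187787/358330926.chm::/win.exe
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O19 - User stylesheet: C:\\WINDOWS\\stsheets.dat
"""

if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```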

Post by tanya » March 26th, 2005, 3:13 pm

OK, I was able to remove some, but not all. Here is a new HJT log. I really appreciate all your help. :)

Logfile of HijackThis v1.99.1
Scan saved at 12:00:48 PM, on 3/26/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\America Online 6.0b\aoltray.exe
C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\NavNT\defwatch.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - Global Startup: America Online 6.0 Tray Icon.lnk = C:\Program Files\America Online 6.0b\aoltray.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/platypus/miniclipGameLoader.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 7481252609
O19 - User stylesheet: C:\WINDOWS\stsheets.dat
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - C:\Program Files\mcafee.com\VSO\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe

Post by wng_z3r0 » March 29th, 2005, 6:58 pm

Hi! Chris was covering for me as I was out of town.

While there are several bad lines in your log, I believe that one line is the key to this mess. We will focus on getting rid of it first.

Please print these instructions or copy them to notepad. Then close all other windows and follow the steps below.
By your log, I have noticed that you have multiple anti-virus programs running:
Norton AntiVirus
McAfee

Running multiple anti-virus programs creates conflicts, and can render both programs useless at keeping your system secure. Please choose which antivirus product you wish to keep. Then uninstall the other anti-virus.

After you have uninstalled the anti-virus program, reboot your computer and then download CWShredder here:
http://cwshredder.net/bin/CWShredder.exe

When it is done downloading, read these lines first:
1. You will need to close ALL windows, including internet browsers and Windows folders.
2. Double-click CWShredder.
3. Click the Fix button.
4. When it is done, note what infections (if any) were cleaned.
5. Come back to Notepad and finish the fix.

Download RootkitRevealer here: http://www.sysinternals.com/ntw2k/freew ... veal.shtml
(The download link is at the bottom of the page.) Post the log here.

Then download the registry search tool here:
http://www.billsway.com/vbspage/

McAfee/NAV might have a problem with this download because it is a script file. If the antivirus gives you trouble, just disable it temporarily...
Once it is downloaded, unzip it. Then double-click on the script. In the search box, type stsheets
Post back the log.


Good luck,
wng

Post by tanya » March 30th, 2005, 12:02 am

OK, thanks for the information. I hope your vacation was good! :)
I removed McAfee, rebooted, then downloaded and ran CWShredder, but it came back saying "none infected".

Next I downloaded RootkitRevealer; the scan came back clean, "no discrepancies found".

Finally, I downloaded the registry search tool and here is the log...

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "stsheets" 3/29/2005 8:54:50 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Vchnt5u]
"StsPath"="\\??\\C:\\WINDOWS\\stsheets.dat"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Vchnt5u]
"StsPath"="\\??\\C:\\WINDOWS\\stsheets.dat"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vchnt5u]
"StsPath"="\\??\\C:\\WINDOWS\\stsheets.dat"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Styles]
"User Stylesheet"="C:\\WINDOWS\\stsheets.dat"

[HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Styles]
"User Stylesheet"="C:\\WINDOWS\\stsheets.dat"

[HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Styles]
"User Stylesheet"="C:\\WINDOWS\\stsheets.dat"

[HKEY_USERS\S-1-5-21-1417066420-284587905-4097411637-1003\Software\Microsoft\Internet Explorer\Styles]
"User Stylesheet"="C:\\WINDOWS\\stsheets.dat"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Styles]
"User Stylesheet"="C:\\WINDOWS\\stsheets.dat"

Post by wng_z3r0 » March 30th, 2005, 1:43 pm

OK! Good job so far. Now go back to that registry search tool and search for
Vchnt5u

Download locate.bat here:
http://www.atribune.org/downloads/locate.zip
Then unzip it, run the program, and post the results.
Also download killbox here and save it to your desktop. Don't use it yet, but we will need it later. Download it here:
http://www.bleepingcomputer.com/files/s ... illBox.zip


wng

Post by wng_z3r0 » April 5th, 2005, 11:18 pm

tanya?

Post by tanya » April 10th, 2005, 8:50 pm

Hi... sorry, I'm here now.

OK, I searched for Vchnt5u; here is the log for that:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "Vchnt5u" 4/10/2005 6:25:36 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VCHNT5U]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VCHNT5U\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VCHNT5U\0000]
"Service"="Vchnt5u"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VCHNT5U\0000]
"DeviceDesc"="Vchnt5u"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VCHNT5U\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VCHNT5U\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VCHNT5U\0000\Control]
"ActiveService"="Vchnt5u"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Vchnt5u]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Vchnt5u]
"DisplayName"="Vchnt5u"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Vchnt5u\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Vchnt5u\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Vchnt5u\Enum]
"0"="Root\\LEGACY_VCHNT5U\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VCHNT5U]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VCHNT5U\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VCHNT5U\0000]
"Service"="Vchnt5u"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VCHNT5U\0000]
"DeviceDesc"="Vchnt5u"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VCHNT5U\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Vchnt5u]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Vchnt5u]
"DisplayName"="Vchnt5u"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Vchnt5u\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VCHNT5U]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VCHNT5U\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VCHNT5U\0000]
"Service"="Vchnt5u"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VCHNT5U\0000]
"DeviceDesc"="Vchnt5u"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VCHNT5U\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VCHNT5U\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VCHNT5U\0000\Control]
"ActiveService"="Vchnt5u"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vchnt5u]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vchnt5u]
"DisplayName"="Vchnt5u"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vchnt5u\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vchnt5u\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vchnt5u\Enum]
"0"="Root\\LEGACY_VCHNT5U\\0000"

Also, I downloaded locate.bat and tried to run the program, but I kept getting an error (maybe I was doing something wrong). I tried several times to run it. Here is the error I received:

16 bit MS-DOS Subsystem
C:\Windows\System32\cmd.exe
C:\Windows\System32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Microsoft Windows Applications. Choose 'Close' to terminate the Application. 'Close' 'Ignore'

I tried choosing Close and Ignore, but still nothing....sorry

So, I just moved on and downloaded killbox.

Let me know what else you would like me to do....

Post by wng_z3r0 » April 11th, 2005, 4:45 pm

Please do this:
Go to Start -> Run
Type in:
notepad

Hit Enter.
In Notepad, paste this:
REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VCHNT5U]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VCHNT5U\0000]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VCHNT5U\0000]
"Service"="Vchnt5u"

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VCHNT5U\0000]
"DeviceDesc"="Vchnt5u"

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VCHNT5U\0000\LogConf]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VCHNT5U\0000\Control]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VCHNT5U\0000\Control]
"ActiveService"="Vchnt5u"

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Vchnt5u]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Vchnt5u]
"DisplayName"="Vchnt5u"

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Vchnt5u\Security]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Vchnt5u\Enum]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Vchnt5u\Enum]
"0"="Root\\LEGACY_VCHNT5U\\0000"

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VCHNT5U]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VCHNT5U\0000]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VCHNT5U\0000]
"Service"="Vchnt5u"

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VCHNT5U\0000]
"DeviceDesc"="Vchnt5u"

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_VCHNT5U\0000\LogConf]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Vchnt5u]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Vchnt5u]
"DisplayName"="Vchnt5u"

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Vchnt5u\Security]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VCHNT5U]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VCHNT5U\0000]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VCHNT5U\0000]
"Service"="Vchnt5u"

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VCHNT5U\0000]
"DeviceDesc"="Vchnt5u"

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VCHNT5U\0000\LogConf]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VCHNT5U\0000\Control]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_VCHNT5U\0000\Control]
"ActiveService"="Vchnt5u"

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vchnt5u]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vchnt5u]
"DisplayName"="Vchnt5u"

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vchnt5u\Security]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vchnt5u\Enum]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Vchnt5u\Enum]
"0"="Root\\LEGACY_VCHNT5U\\0000"

[-HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Styles]
"User Stylesheet"="C:\\WINDOWS\\stsheets.dat"

[-HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Styles]
"User Stylesheet"="C:\\WINDOWS\\stsheets.dat"

[-HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Styles]
"User Stylesheet"="C:\\WINDOWS\\stsheets.dat"

[-HKEY_USERS\S-1-5-21-1417066420-284587905-4097411637-1003\Software\Microsoft\Internet Explorer\Styles]
"User Stylesheet"="C:\\WINDOWS\\stsheets.dat"

[-HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Styles]
"User Stylesheet"="C:\\WINDOWS\\stsheets.dat"



Then go to File -> Save As
Save it as remove.reg
Save it to the desktop
Under the dropdown list entitled "Save as type"
choose "All files"
Hit OK

Download CWShredder here:
http://www.intermute.com/spysubtract/cw ... nload.html
(Don't run the program just yet.)

Then restart your computer in Safe Mode.
To do so, press F8 repeatedly during startup and select Safe Mode.

***YOU MUST BE IN SAFE MODE FOR THIS TO WORK*****
Go to the desktop.
Double-click on remove.reg.
Say yes at the confirmation window.


Now, run CWShredder and click the "Fix" button.


Then
Go to KillBox.
In the blank under "full path to delete"
type in:
C:\WINDOWS\SYSTEM32\DRIVERS\Vchnt5u.SYS
Then click the red X to delete the program.
You will get a confirmation window. Click Yes when it asks you if you want to delete,
but NO if it asks you to reboot the computer.
Then use KillBox to kill this file as well:
C:\WINDOWS\stsheets.dat

Now restart your computer in normal mode.
Run HijackThis and place a check next to the following lines:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C: oo.mht!http://superprogdownload.com/download/helps/id/187787/358330926./win.exe
O19 - User stylesheet: C:\WINDOWS\stsheets.dat

Then restart your computer and post a new HJT log.

wng
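As an added example (not the thread's own tool, and not wng_z3r0's remove.reg), this Python script turns a RegSrch.vbs-style REGEDIT4 export like the two posted above into a minimal cleanup .reg file: it deletes only the shallowest matching keys of the rogue Vchnt5u service (a deleted key takes its subkeys with it) and removes just the "User Stylesheet" value under IE's legitimate Styles key with the `"Name"=-` syntax, instead of deleting the whole key as the posted remove.reg does. The sample export is a constructed excerpt merging the two searches in the thread.

```python
"""REGEDIT4 search export -> minimal cleanup .reg (added example, not from the thread).

Input: a RegSrch.vbs-style export (comments, [key] headers, "name"=data lines).
Output: REGEDIT4 text with [-key] lines for keys to delete outright and
"name"=- lines for single values to remove under keys that must stay.
"""
import re

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def parse_export(text):
    """Return {key: {value_name: raw_data}} from a REGEDIT4 export; comments skipped."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data")
    return keys


def shallowest(keys):
    """Drop keys whose ancestor is also listed: deleting the ancestor covers them."""
    kept = []
    for k in sorted(keys, key=len):
        if not any(k.lower().startswith(p.lower() + "\\") for p in kept):
            kept.append(k)
    return kept


def build_cleanup_reg(export_text, delete_key_if, delete_value_if):
    """delete_key_if(key) -> whole key goes; else delete_value_if(key, name, data)
    decides value by value. Returns the REGEDIT4 text."""
    keys = parse_export(export_text)
    whole = [k for k in keys if delete_key_if(k)]
    lines = ["REGEDIT4", ""]
    for k in shallowest(whole):
        lines += [f"[-{k}]", ""]
    for k, values in keys.items():
        if delete_key_if(k):
            continue
        names = [n for n, d in values.items() if delete_value_if(k, n, d)]
        if names:
            lines.append(f"[{k}]")
            lines += [f'"{n}"=-' for n in names]
            lines.append("")
    return "\n".join(lines)


# Rules for this thread: the rogue Vchnt5u service/driver keys go outright;
# IE's Styles key is legitimate, so only its pointer to stsheets.dat is removed.
def is_vchnt5u_key(key):
    return "vchnt5u" in key.lower()


def is_stsheets_value(key, name, data):
    return name == "User Stylesheet" and "stsheets.dat" in data.lower()


# Constructed excerpt in the shape of the RegSrch.vbs exports posted above.
SAMPLE_EXPORT = r"""REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for strings "Vchnt5u" and "stsheets" (constructed)

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VCHNT5U]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_VCHNT5U\0000]
"Service"="Vchnt5u"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Vchnt5u]
"DisplayName"="Vchnt5u"
"StsPath"="\\??\\C:\\WINDOWS\\stsheets.dat"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Vchnt5u\Enum]
"0"="Root\\LEGACY_VCHNT5U\\0000"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Styles]
"User Stylesheet"="C:\\WINDOWS\\stsheets.dat"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Styles]
"User Stylesheet"="C:\\WINDOWS\\stsheets.dat"
"""

if __name__ == "__main__":
    print(build_cleanup_reg(SAMPLE_EXPORT, is_vchnt5u_key, is_stsheets_value))
```

Keys under Enum\Root\LEGACY_* are normally ACL-protected, so regedit may refuse to delete them until their permissions are changed; removing the Services\Vchnt5u key together with the driver file is what stops the service from loading.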

Post by ChrisRLG » April 21st, 2005, 6:38 pm

Whilst we appreciate that you may be busy, it has been 10 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Malware Removal Forum

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid,
working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.